GHAMS - 200.324.736/01: Difference between revisions

From GDPRhub

Revision as of 14:17, 19 August 2024

GHAMS - 200.324.736/01
Court: GHAMS (Netherlands)
Jurisdiction: Netherlands
Relevant Law: Article 6(1)(c) GDPR
Article 13(1)(a) Directive (EU) 2015/849
Artikel 33(1) Wet ter voorkoming van witwassen en financieren van terrorisme
Decided: 30.04.2024
Published: 30.07.2024
Parties: Servicekosten Consultancy V.O.F.
International Card Services B.V.
National Case Number/Name: 200.324.736/01
European Case Law Identifier: ECLI:NL:GHAMS:2024:1165
Appeal from: Rb. Amsterdam (Netherlands)‎
C/13/718627 / HA ZA 22-458
Appeal to: Unknown
Original Language(s): Dutch
Original Source: Rechtspraak.nl (in Dutch)
Initial Contributor: fb

A court ruled that a credit card issuer can request its clients to provide a non-watermarked copy of their ID card for anti-money laundering purposes relying on the legal basis provided for by Article 6(1)(c) GDPR.

English Summary

Facts

The data subject had a business credit card issued by the controller. In 2021, the controller asked the data subject to identify themselves online by taking a picture of the ID and then taking a selfie of themselves. The data subject wanted to upload a copy of the ID with a watermark on it for fraud prevention purposes (saying, for example: “copy for [the controller]”). The controller, on the other hand, rejected this copy, arguing that the data subject should upload a copy without any writing on it.

Therefore, the data subject brought legal proceedings before the District Court of Amsterdam (Rechtbank Amsterdam - Rb. Amsterdam), asking the court to declare that the controller cannot request an ID copy without the watermark and that the controller should not block the credit card. On 20 April 2022, the District Court of Amsterdam dismissed the data subject’s request.

The data subject appealed the decision before the Court of Appeal of Amsterdam (Gerechtshof Amsterdam - GHAMS). They argued that the provisions of the Money Laundering and Terrorist Financing Prevention Act (Wet ter voorkoming van witwassen en financieren van terrorisme – Wwft) do not require that the identification process is performed in the way envisaged by the controller. Therefore, the legal basis provided for by Article 6(1)(c) GDPR cannot be used, since there is no legal obligation to require this kind of identification.

Moreover, they argued that the controller should not store the copy of the ID.

The controller pointed out that the electronic technique used in the scanning of the ID has currently the highest reliability in the field of authentication and that the use of this technique enables it to recognize high value forgeries of IDs better than with the use of persons trained and educated for this purpose.

Holding

First of all, the court noted that the Wwft does not prescribe a way in which the identification should be conducted. Moreover, it pointed out that neither the GDPR nor the Wwft confers on the data subject a right to a non-online identification.

Secondly, the court noted that Article 13(1)(a) AML IV Directive (EU) 2015/849 allows the controller to perform the identification through electronic means.

Thirdly, the court agreed with the controller’s argument. It held that, since there is an added value in using this ID scanning tool, this use may be considered necessary within the meaning of Article 6(1)(c) GDPR in order to comply with its obligation to conduct customer due diligence under the Wwft. The court pointed out that, due to the large number of customers, the controller has a legitimate interest in organizing the identification and verification procedure as uniformly as possible.

Fourthly, as for the retention issue, the court noted that the controller is obliged to keep a copy of the proof of identity whose authenticity it has verified by means of the scan pursuant to Article 33(1) Wwft. However, the court highlighted that the controller is obliged to store this data securely.

Therefore, the court dismissed the appeal and upheld the judgement of the District Court of Amsterdam.

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.

COURT OF APPEAL AMSTERDAM

civil law and tax law department, team I

case number: 200.324.736/01

case number Amsterdam District Court: C/13/718627/ HA ZA 22-458

judgment of the multi-member civil chamber of 30 April 2024

in the case of
1. SERVICEKOSTEN CONSULTANCY V.O.F.,

established in Hoofddorp,

2. [appellant 2],

residing in [place of residence],

appellants,

attorney: mr. B.O. Eschweiler in Amsterdam,

against

INTERNATIONAL CARD SERVICES B.V.,

established in Amsterdam,

respondent,

attorney: mr. A.L. Bremmer in Amsterdam.

The parties will hereinafter be referred to as SKC, [appellant 2] (jointly: [appellants]) and ICS.
1 The case in brief

[appellants] has had a business credit card from ICS since 2015. In 2021, ICS asked [appellants] to identify themselves online. [appellants] objects to the manner in which this identification takes place and how his data is processed, in particular to the scanning of [appellant 2]'s identity document, whereby a copy of the identity document is stored. [appellants] wants to be able to provide a certified copy of the identity document himself. ICS has not accepted this. ICS has announced that it will block the credit card and possibly terminate the agreement. The court has dismissed [appellants]'s claims, with which he aims to prevent this.
2 The appeal proceedings

[Appellants] filed an appeal by summons dated 1 March 2023 against the judgment of 11 January 2023 of the Amsterdam District Court, rendered under the above-mentioned case number between SKC and [appellant 2] as defendants in opposition (originally plaintiffs) and ICS as plaintiff in opposition (originally defendant).

The parties then submitted the following documents:

- statement of grievances;

- statement of defence.

During the oral hearing of 8 March 2024, the parties had their lawyers, Mr Eschweiler, explain the case on the basis of submitted speaking notes.

Finally, judgment was requested.
3 Facts

The court assumes the following facts.
3.1.

SKC, of which [appellant 2] is a partner, has held a business credit card with ICS, a subsidiary of ABN AMRO Bank N.V., since 2015. The credit card is in the name of [appellant 2] Servicekosten Consultancy and is used by [appellant 2] for business payments.
3.2.

[appellant 2] also holds a private credit card with ICS, of which he and his spouse are each cardholders.
3.3.

The General Card Terms and Conditions ICS of January 2021 (hereinafter: the general terms and conditions) apply to the agreements with [appellants].
3.4.

In 2020, ICS started (re)checking the identity of its customers. In an email message dated 4 May 2021, ICS requested SKC to check and supplement the company details. After [appellant 2] had supplemented the SKC data, he received an email from ICS the same day requesting him to identify himself online. This email reads, insofar as relevant here:

“(…) Now it is time for the next step: online identification. This step is also necessary to comply with the requirements of the Money Laundering and Terrorist Financing (Prevention) Act (Wwft). This email explains exactly what needs to be done. Thank you in advance for your cooperation.

Secure online identification – this is how it works

In order to continue using your Card(s), it is important that you identify yourself before 3 June 2021. Online identification is secure and easy and only takes a few minutes:

1. Retrieve your personal validation code in My ICS Business: log in as a Contact Person and click on the ‘Retrieve codes’ button.

2. View the explanation on icsbusiness.nl/id and click on the Start online identification button. Please note: identification is only possible with a smartphone.

(…)

What do we do with your data?

At ICS, we consider your privacy important. That is why we ensure that we process your data carefully. You can find more information about this on icsbusiness.nl/id and icsbusiness.nl/privacy-statement (…)”
3.5.

According to the explanation provided by ICS on its website, online identification involves the following in short. The customer downloads the “ICS Identify” app on a smartphone. The customer enters their date of birth and the personal validation code received. The customer then chooses which ID they wish to use for identification. The customer takes a photo of the original ID. A photo of a photo or a copy of the ID will not be approved. The ID must be unwritten. In addition, the customer takes a photo of themselves with the smartphone (selfie). Here too, a photo of a photo will not be approved. Finally, the customer saves both photos in the app (upload).
3.6.

Furthermore, the following can be read on the ICS website under the heading “frequently asked questions” about online identification, insofar as relevant here:

“What do you use the photo of my ID for?

We use the photo of your ID for identification and checking your data. We use the photo to check whether your ID is genuine and whether it really belongs to you. We then store the photo as proof of your identification. We handle the photos you take during online identification and the other data you share with us with care. You can read more about this in our Privacy Statement.

Good to know: the photo you take of the ID, and we store, will have a watermark. So that the document can only be used for your online identification at ICS. The watermark looks like this (…)

How long do you store my identification?

We store the photo of yourself and the photo of your ID with the watermark in our systems for as long as you are a customer of ours. We then store the photos for another 7 years. This is because, like other companies, we are obliged to keep our administration for 7 years (…)”
3.7.

In an email dated 25 May 2021, ICS sent a reminder to SKC, in which ICS repeated its request for online identification. In this email, ICS further wrote, insofar as relevant:

“(…) Prevent the Card(s) from being blocked

In order to continue using your company’s Card(s), it is important that identification takes place before 3 June 2021. After that, we will unfortunately have to block your company’s Card(s) and possibly terminate our agreement with you. (…)”
3.8.

[appellant 2] did not identify himself online before 3 June 2021. [appellant 2] expressed his objections to ICS uploading an unwritten copy of his identity document. In support of this, [appellant 2] referred to the website of the Dutch Data Protection Authority (hereinafter: AP), in particular the following passages:

“Can I write something on a copy of my identity document?

Yes, you can. You always have the right to write a text on the copy of your identity document. This protects the copy against identity fraud.

In some cases, an organisation or company has a legal basis to process a complete copy of your identity document for a specific purpose.

For example, when you enter into employment with a company. Your employer must then keep a copy of your identity document.

But even in those cases, you always have the right to write a text on the copy of your identity document. For example: ‘Copy for [employer name] of [date]’.

This protects the copy against identity fraud, because the complete copy cannot simply be used for another purpose.

Please note: all personal data (such as the photo and the BSN) on the described copy must be legible. The photo must also be sufficiently visible to identify you.

What you write on the copy must therefore not detract from the identifying function of the copy. (…)

Can an organisation refuse a written copy of my identity document?

No, that is not allowed. If that organisation has a legal basis to process a complete copy of the identity document, then a written copy is sufficient for this.

You can therefore choose to write on the copy. This is also recommended, because it protects the copy against identity fraud. (…)”
3.9.

In response to [appellant 2]'s objections, ICS explained to [appellant 2] in its e-mail messages of 15 and 16 June 2021, among other things, why it is necessary for him to identify himself online and why he is not allowed to write on the identity document:

“Why can't you write on the identity document?

You cannot write on the identity document. As previously stated, we can only identify digitally. During identification, the identity document must be checked for authenticity. If you write something on the document, this will prevent the authenticity of the document from being established. (…)”
3.10.

In an email dated 22 June 2021, ICS proposed two alternatives for online identification, namely identification at home or identification at the notary. In the first variant, an employee of the company AMP engaged by ICS visits the customer to identify him. The employee uses the same software as for online identification (via the app). In the second variant, the customer can identify himself at the notary, who will draw up a deed of this. In both cases, the identity document is checked for authenticity by means of a scanner. [appellant 2] responded in an email on the same day and stated, in short, that the alternatives offered by ICS were not negotiable.
3.11.

After his complaint was rejected, [appellant 2] called in his legal expenses insurer DAS. Following a letter from DAS dated 30 July 2021, ICS indicated in an email dated 11 August 2021 that it would not block either the credit card or the private credit card for the time being, pending a substantive response from DAS.
3.12.

In an email dated 24 September 2021, DAS sent the following message on behalf of [appellant 2]:

“(…) In view of the foregoing, I request that you confirm to me within two weeks of today that you will not block the client’s credit card(s) and that you will accept a written copy of the client’s identity document (after physical identification of the client and verification of the authenticity of the identity document have taken place at his home, at your office or at an ABN AMRO office in the Hoofddorp/Amsterdam region). (…)”
3.13.

In response, ICS indicated on the same day that it would not accept any alternatives other than identification at home by an AMP employee or identification at the notary as described above under 3.10 and again rejected [appellant 2]’s complaint.
3.14.

The AP website states the following about identification at a bank:

“Copy of identity document upon identification

During the client investigation, the financial institution or service provider must record a number of your details. The Wwft states that this may be done by making a copy, scan or photo (hereinafter referred to as a ‘copy’) of your identity document. This allows the financial institution or service provider to prove that your identity has been established.”
4 First instance
4.1.

[appellants] requested in first instance that the court, by judgment, provisionally enforceable:

I. declare that ICS cannot require [appellants] to identify themselves in the manner prescribed by ICS;

II. declare that [appellant 2] is entitled to require (physical) identification, in the context of which a copy and/or scan of the original identity document, without it being certified, is omitted;

III. declare that [appellant 2] is entitled to apply a certification mark to a copy of the identity document that ICS is storing pursuant to Article 33 Wwft;

IV. prohibit ICS from blocking the credit card and terminating the legal relationship between the parties, solely because [appellants] do not wish to comply with the identity procedure prescribed by ICS;

V. order ICS to pay the costs of the proceedings.
4.2.

By default judgment of 20 April 2022, [appellants]' claims were granted in full and ICS was ordered to pay the legal costs.
4.3.

After ICS filed an objection, the court annulled the default judgment in the contested judgment and dismissed [appellants]' claims, with [appellants] being ordered to pay the legal costs of the objection procedure.
5 Assessment
5.1.

[appellants] raised five grounds of appeal. [appellants] has concluded that the contested judgment should be annulled and, as the court understands it, that the default judgment should be confirmed, with an order – provisionally enforceable – against ICS to pay the legal costs with interest.
5.2.

ICS has concluded that the contested judgment should be confirmed, with an order – provisionally enforceable – against [appellants] to pay the legal costs.
5.3.

In view of what [appellants] states in grievance I about the content of the e-mail from his representative of 24 September 2021, the court has adjusted the description thereof in 3.12. However, this grievance cannot lead to the annulment of the contested judgment, given the assessment below.
5.4.

With grounds II and III, [appellants] argue that the provisions of the Money Laundering and Terrorist Financing (Prevention) Act (Wwft) do not oblige ICS to use the identification and verification procedure that takes place online and/or in which electronic identification means are used, so that the processing of [appellant 2]'s personal data that takes place in this process is not necessary to comply with a statutory obligation, within the meaning of Article 6 paragraph 1 under c of the General Data Protection Regulation (GDPR). This processing is therefore not lawful, and [appellants] was therefore entitled to refuse to cooperate, according to [appellants]. With ground III, [appellants] also argues, as the court understands it, that the use of a scanner to verify the identity document is not in accordance with the principle of proportionality that must be observed when applying the Wwft. With ground IV, [appellants] argues that Article 33 Wwft does not oblige ICS to store a copy of [appellant 2]'s identity document. Furthermore, with this grievance, [appellants] contest the court's judgment that [appellants] has insufficiently substantiated his position that he cannot check whether ICS applies a watermark to the copy of the identity document and that he also cannot check whether the software used by ICS can undo the applied watermark. Finally, [appellants] argues, with grievance V, that the information published on the AP website supports his position that he can suffice by providing a copy of the identity document that he has certified himself.

These grievances lend themselves to joint treatment.
5.5.

The court first notes that it has been established between the parties that ICS is obliged to conduct a client investigation into [appellants] on the basis of Articles 3 and 38 Wwft, and that this investigation must enable ICS to identify [appellant 2] and verify his identity. It is also agreed between the parties that the lawfulness of the data processing by ICS must be tested against Article 6 paragraph 1 under c GDPR, so that the court will also assume this. The Wwft does not prescribe (per case) how an institution such as ICS must conduct the client investigation; the Wwft only determines the result of the investigation. If an institution cannot meet its obligation to identify and verify, it must terminate the relationship with the client (Article 5 paragraph 3 Wwft). It is also important that the Wwft or the GDPR do not give rise to a right to physical identification.
5.6.

Based on Article 11 paragraph 1 Wwft, the identity of [appellant 2] must be verified on the basis of the documents referred to in Article 4 paragraph 1 of the Implementing Regulation, such as a passport, Dutch identity card or Dutch driving licence. In view of the provisions of Article 13 paragraph 1 sub a of Directive (EU) 2015/849 (the Fourth Anti-Money Laundering Directive), as amended by Directive (EU) 2018/843, ICS is permitted to use electronic identification means for identification and verification. ICS has substantiated that the electronic technology used to scan the identity document currently has the highest reliability in the field of authenticity checking and that the use of this technology enables it to recognise high-quality forgeries of identity documents better than using persons trained and educated for this purpose. [appellants] has not contested this, or at least not sufficiently contested it. Given the degree of freedom that ICS is entitled to in fulfilling its obligation to identify and verify under the Wwft, and the added value of using the electronic technique of scanning the identity document chosen by it over other forms of authenticity check such as a physical check by a person, this use can be considered necessary within the meaning of Article 6 paragraph 1 sub c GDPR in order to comply with its obligation to perform a client investigation under the Wwft. The court takes into account that ICS, given the large number of clients for whom such an investigation must be carried out and the need to be able to account for this to the supervisory authority, has a legitimate interest in organizing the identification and verification procedure as uniformly as possible. The fact that ICS's identification and verification procedure could possibly have been organized differently does not mean that the procedure that ICS has chosen does not meet this requirement of necessity.
5.7.

Under Article 33 paragraph 1 Wwft, ICS is obliged to record in a retrievable manner the documents and data that were used to comply with the obligation to conduct a client investigation. This means that ICS must keep a copy of the identity document that it has checked for authenticity using the scanner and with which it has established the identity of the client. ICS has an interest in making this copy itself by making and storing the copy at the same time as scanning and checking the identity document for authenticity, because this guarantees that the copy that ICS keeps is actually the copy of the identity document that ICS has used for identification and verification. ICS cannot be expected, as [appellants] propose, to accept a copy of the identity document certified by [appellants]. ICS would then have to carry out an additional (manual) check to determine whether this is actually a copy of the identity document that [appellants] presented for identification and verification. This leaves room for errors, which can be prevented by making a copy when scanning the identity document. The method used by ICS can therefore be considered necessary within the meaning of Article 6 paragraph 1 under c GDPR in order to comply with its obligation to retain evidence relating to the customer due diligence carried out under the Wwft. ICS must ensure that it stores this copy of the identity document securely (EBA Guidelines on the use of remote customer acceptance solutions pursuant to Article 13, paragraph 1, of Directive (EU) 2015/849, par. 26). ICS explained that the copy is stored securely by applying a watermark and that [appellants] can check this by exercising his right of inspection under the GDPR. [appellants] has not contested this with sufficient reasons. The court does not consider his suggestion that the watermark applied by ICS can possibly be removed with software to be sufficient in this regard. 
Moreover, this also applies to a trademark that [appellants] themselves would affix to a copy of the identity document.
5.8.

It does not follow from the passages from the AP website cited by [appellants], also in view of the passages cited by ICS (see 3.14), that [appellants] can suffice with providing a certified copy of [appellant 2]'s identity document for the purpose of storage and preservation by ICS. Moreover, what [appellants] argue with regard to the AP cannot affect the lawfulness of the identification and verification procedure against [appellants], as follows from the previous assessment. The same applies to the fact that ICS, according to the AP's decision of 18 December 2023, failed to carry out a data protection impact assessment within the meaning of Article 35 GDPR prior to its identification and verification process.
5.9.

In view of the foregoing, ICS complies with the relevant provisions of the Wwft and GDPR with the alternative it offered, in which an employee of the company AMP engaged by ICS visits the customer to identify him. The grievances therefore fail, so that the contested judgment will be upheld. The general offer of proof by [appellants] does not relate to statements that, if proven, would lead to a different judgment. [appellants] was unsuccessful in the appeal and will therefore be ordered to pay the costs of the appeal. The court estimates these costs as follows:

- court fee € 783,-

- lawyer's fee € 2,428,- (rate II, 2 points)

Total € 3,211,-
6 Decision

The court:

upholds the contested judgment;

orders [appellants] to pay the costs of the appeal proceedings, to date set at €3,211 on the side of ICS and at €178 for additional fees, to be increased by €92 for additional fees and the costs of the service of the writ if the costs award is not complied with within fourteen days of this judgment and service of this judgment takes place, and declares this award provisionally enforceable.

This judgment was rendered by Mrs. M.C.H. Broesterhuizen, S.C.H. Molin and Y. Steeg-Tijms and pronounced in public by the presiding judge on 30 April 2024.